
3:24-cv-01016-SAL Date Filed 02/28/24 Entry Number 1 Page 1 of 38

UNITED STATES DISTRICT COURT
DISTRICT OF SOUTH CAROLINA
COLUMBIA DIVISION

Michelle Lynn Sutherland, individually, and on behalf of all others similarly situated,

Plaintiff,

v.

LEXINGTON MEDICAL CENTER

Defendant.

C/A No. 3:24-cv-1016-SAL

CLASS REPRESENTATION

JURY TRIAL DEMANDED

CLASS ACTION COMPLAINT

Plaintiff Michelle Lynn Sutherland (“Plaintiff”), individually, and on behalf of all others

similarly situated, brings this action against the Lexington Medical Center (“LMC”). Plaintiff

brings this action by and through her attorneys, and alleges, based upon personal knowledge as to

her own actions, and based upon information and belief and reasonable investigation by her

counsel as to all other matters, as follows.

I. INTRODUCTION

1. Lexington Medical Center is a healthcare network based out of West Columbia,

South Carolina that includes a teaching hospital, five medical centers, seventy doctor’s offices, an

occupational health center, and a specialized care center for Alzheimer’s 1. LMC employs more

than 8,000 people, treats almost 100,000 patients per year, and performs 25,000 surgeries annually.

Id.

2. As part of its operations, LMC collects, maintains, and stores highly sensitive

personal and medical information belonging to its patients, including, but not limited to their full

1 See https://www.lexmed.com/about/ (last accessed Feb. 23, 2024).

names, Social Security numbers, dates of birth, (collectively, “personally identifying information”

or “PII”), medical record numbers, health insurance information, and other protected health

information (collectively, “private health information” or “PHI”), (collectively, “Private

Information”).

3. On October 4, 2023, LMC experienced a data breach incident in which

unauthorized cybercriminals accessed one LMC employee’s email account and individual data

drive which included Private Information belonging to Plaintiff and Class members (the “Data

Breach”). On January 18, 2024, a subsequent investigation by LMC determined that this

employee’s email account and data drive contained a number of files that included the Private

Information concerning Plaintiff and Class members.

4. On February 12, 2024, LMC sent a notice to individuals whose information was

accessed in the Data Breach (the “Data Breach Notice”). An exemplar of the Data Breach Notice

issued by Defendant and filed with the Vermont Attorney General’s Office is attached hereto as

Exhibit A.

5. Because LMC stored and handled Plaintiff’s and Class members’ highly-sensitive

Private Information, it had a duty and obligation to safeguard this information and prevent

unauthorized third parties from accessing this data.

6. Ultimately, LMC failed to fulfill this obligation, as unauthorized cybercriminals

breached LMC’s information systems and databases and had access to vast quantities of Private

Information belonging to LMC’s patients, including Plaintiff and Class members. The Data Breach

was the direct, proximate, and foreseeable result of multiple failings on the part of LMC.

7. The Data Breach occurred because LMC failed to implement reasonable security

protections to safeguard its information systems and databases. Moreover, before the Data Breach


occurred, LMC failed to inform the public that its data security practices were deficient and

inadequate. Had Plaintiff and Class members been made aware of this fact, they would have never

provided such information to LMC.

8. LMC’s subsequent handling of the breach was also deficient.

9. As a result of LMC’s negligent, reckless, intentional, and/or unconscionable failure

to adequately satisfy its contractual, statutory, and common-law obligations, Plaintiff and Class

members suffered injuries, including, but not limited to:

• Lost or diminished value of their Private Information;

• Out-of-pocket expenses associated with the prevention, detection, and recovery from identity theft, tax fraud, and/or unauthorized use of their Private Information;

• Lost opportunity costs associated with attempting to mitigate the actual consequences of the Data Breach, including but not limited to the loss of time needed to take appropriate measures to avoid unauthorized and fraudulent charges;

• Time needed to investigate, correct and resolve unauthorized access to their accounts; time needed to deal with spam messages and e-mails received subsequent to the Data Breach;

• Charges and fees associated with fraudulent charges on their accounts; and

• The continued and increased risk of compromise to their Private Information, which remains in LMC’s possession and is subject to further unauthorized disclosures so long as LMC fails to undertake appropriate and adequate measures to protect their Private Information.

10. Accordingly, Plaintiff brings this action on behalf of all those similarly situated to

seek relief for the consequences of LMC’s failure to reasonably safeguard Plaintiff’s and Class

members’ Private Information; its failure to reasonably provide timely notification to Plaintiff and

Class members that their Private Information had been compromised; and for LMC’s failure to


inform Plaintiff and Class members concerning the status, safety, location, access, and protection

of their Private Information.

II. PARTIES

Plaintiff Michelle Sutherland

11. Plaintiff Sutherland is a resident and citizen of Lexington, South Carolina. Plaintiff

Sutherland was a patient at LMC. Plaintiff Sutherland received LMC’s Data Breach Notice.

Defendant LMC.

12. The LMC is a South Carolina non-profit with its principal place of business located

at 2720 Sunset Blvd W. Columbia, South Carolina 29169. LMC conducts business in this District

and throughout South Carolina.

III. JURISDICTION AND VENUE

13. This Court has subject-matter jurisdiction pursuant to the Class Action Fairness Act

of 2005 (“CAFA”), 28 U.S.C. § 1332(d)(2), because this is a class action in which the matter in

controversy exceeds the sum of $5,000,000, the number of class members exceeds 100, and at

least one Class member is a citizen of a state different from LMC. This Court also has supplemental

jurisdiction pursuant to 28 U.S.C. § 1367(a) because all claims alleged herein form part of the

same case or controversy.

14. This Court has personal jurisdiction over LMC because LMC is headquartered in

South Carolina.

15. Venue is proper in this District under 28 U.S.C. § 1391(b)(2) because a substantial

part of the events or omissions giving rise to Plaintiff’s and Class members’ claims occurred in

this District and because LMC resides in this District.


IV. FACTUAL ALLEGATIONS

A. LMC – Background

16. LMC is a healthcare network based out of West Columbia, South Carolina that

includes a teaching hospital, five medical centers, seventy doctor’s offices, an occupational health

center, and a specialized care center for Alzheimer’s 2. As part of its normal operations, LMC

collects, maintains, and stores large volumes of Private Information belonging to its current and

former patients.

17. Current and former patients of LMC, such as Plaintiff and Class members, made

their Private Information available to LMC with the reasonable expectation that any entity with

access to this information would keep that sensitive and personal information confidential and

secure from illegal and unauthorized access. They similarly expected that, in the event of any

unauthorized access, these entities would provide them with prompt and accurate notice.

18. This expectation was objectively reasonable and based on an obligation imposed

on LMC by statute, regulations, industrial custom, and standards of general due care.

19. Unfortunately for Plaintiff and Class members, LMC failed to carry out its duty to

safeguard sensitive Private Information and provide adequate data security, which resulted in

cybercriminals accessing the Private Information of LMC’s current and former patients—Plaintiff

and Class members.

B. The Data Breach

20. According to LMC’s public statements, cybercriminals breached an LMC

employee’s email account and individual data drive information systems on or about October 4,

2 See https://www.lexmed.com/about/ (last accessed Feb. 23, 2024).


2023. On January 18, 2024, after an extensive forensic investigation and manual document review,

LMC discovered that its employee’s email account and associated individual drive contained

Personal Identifiable Information (“PII”) and Protected Health Information (“PHI”) pertaining to

about 1.7 million current and former patients of LMC.

21. On February 12, 2024, LMC sent notice of the Data Breach to all individuals

affected by this data security incident. Notably, the Data Breach Notice does not indicate that

hackers did not exfiltrate patient PII and/or PHI—only that LMC currently has “no way to

determine with certainty whether the unauthorized party accessed these specific file[,]” and that

LMC has yet to uncover evidence of misuse. See Exhibit A at 1-2.

22. LMC estimates that the Private Information belonging to at least 1.7 million

individuals was compromised in this incident.

C. LMC’s Many Failures Both Prior to and Following the Breach

23. LMC collects and maintains vast quantities of Private Information belonging to

Plaintiff and Class members as part of its normal operations. The Data Breach occurred as a direct,

proximate, and foreseeable result of multiple failings on the part of LMC.

24. First, LMC inexcusably failed to implement reasonable security protections to

safeguard its information systems and databases.

25. Second, LMC failed to inform the public that its data security practices were

deficient and inadequate. Had Plaintiff and Class members been aware that LMC did not have

adequate safeguards in place to protect such sensitive Private Information, they would have never

provided such information to LMC.


26. In addition to the failures that led to the successful breach, LMC’s failings in

handling the breach and responding to the incident exacerbated the resulting harm to the Plaintiff

and Class members.

27. LMC’s delay in informing victims of the Data Breach that their Private Information

was compromised virtually ensured that the cybercriminals who had access to this Private Information

could monetize, misuse and/or disseminate that Private Information before the Plaintiff and Class

members could take affirmative steps to protect their sensitive information. As a result, Plaintiff

and Class members will suffer indefinitely from the substantial and concrete risk that their

identities will be (or already have been) stolen and misappropriated.

28. Plaintiff’s and Class members’ Private Information was exposed to cybercriminals

for the express purpose of misusing the data. As a consequence, they face the real, immediate, and

likely danger of identity theft and misuse of their Private Information. And this can, and in some

circumstances already has, caused irreparable harm to their personal, financial, reputational, and

future well-being. This harm is even more acute because much of the Private Information, such as

healthcare data, is immutable.

29. In short, LMC’s myriad failures, including the failure to timely notify Plaintiff and

Class members that their personal and medical information had been exposed due to LMC’s

security failures, allowed unauthorized individuals to access, misappropriate, and misuse

Plaintiff’s and Class members’ Private Information for four months before LMC finally granted

victims the opportunity to take proactive steps to defend themselves and mitigate the near- and

long-term consequences of the Data Breach.


D. Data Breaches Pose Significant Threats

30. Data breaches have become a constant threat that, without adequate safeguards, can

expose personal data to malicious actors. It is well known that PII, and Social Security numbers in

particular, is an invaluable commodity and a frequent target of hackers.

31. In 2022, the Identity Theft Resource Center’s Annual End-of-Year Data Breach

Report listed 1,802 total compromises involving 422,143,312 victims for 2022, which was just 50

compromises short of the current record set in 2021. 3 The HIPAA Journal’s 2022 Healthcare Data

Breach Report reported 707 compromises involving healthcare data, which is just 8 shy of the

record of 715 set in 2021 and still double that of the number of similar such compromises in 2017

and triple the number of compromises in 2012. 4

32. Statista, a German entity that collects and markets data relating to, among other

things, data breach incidents and the consequences thereof, confirms that the number of data

breaches has been steadily increasing since it began a survey of data compromises in 2005 with

157 compromises reported that year, to a peak of 1,862 in 2021, to 2022’s total of 1,802. 5 The

number of impacted individuals has also risen precipitously from approximately 318 million in

2015 to 422 million in 2022, which is an increase of nearly 50%. 6

3 2022 End of Year Data Breach Report, Identity Theft Resource Center (January 25, 2023), available at: https://www.idtheftcenter.org/publication/2022-data-breach-report/?utm_source=press+release&utm_medium=web&utm_campaign=2022+Data+Breach+Report.
4 2022 Healthcare Data Breach Report, The HIPAA Journal (January 24, 2023), available at: https://www.hipaajournal.com/2022-healthcare-data-breach-report/.
5 Annual Number of Data Breaches and Exposed Records in the United States from 2005 to 2022, Statista, available at: https://www.statista.com/statistics/273550/data-breaches-recorded-in-the-united-states-by-number-of-breaches-and-records-exposed/.
6 Id.


33. This stolen PII is then routinely traded on dark web black markets as a simple

commodity, with social security numbers being so ubiquitous as to be sold at as little as $2.99 apiece

and passports retailing for as little as $15 apiece. 7

34. In addition, the severity of the consequences of a compromised social security

number belies the ubiquity of stolen numbers on the dark web. Criminals and other unsavory

groups can fraudulently take out loans under the victims’ name, open new lines of credit, and cause

other serious financial difficulties for victims:

[a] dishonest person who has your Social Security number can use it to get other
personal information about you. Identity thieves can use your number and your
good credit to apply for more credit in your name. Then, they use the credit cards
and don’t pay the bills, it damages your credit. You may not find out that someone
is using your number until you’re turned down for credit, or you begin to get calls
from unknown creditors demanding payment for items you never bought. Someone

7 What is your identity worth on the dark web? Cybernews (September 28, 2021), available at: https://cybernews.com/security/whats-your-identity-worth-on-dark-web/.


illegally using your Social Security number and assuming your identity can cause
a lot of problems. 8

This is exacerbated by the fact that the problems arising from a compromised social security

number are exceedingly difficult to resolve. A victim is forbidden from proactively changing his

or her number unless and until it is actually misused and harm has already occurred. And even this

delayed remedial action is unlikely to undo the damage already done to the victims:

Keep in mind that a new number probably won’t solve all your problems. This is
because other governmental agencies (such as the IRS and state motor vehicle
agencies) and private businesses (such as banks and credit reporting companies)
will have records under your old number. Along with other personal information,
credit reporting companies use the number to identify your credit record. So using
a new number won’t guarantee you a fresh start. This is especially true if your other
personal information, such as your name and address, remains the same. 9

35. The most sought after and expensive information on the dark web are stolen

medical records which command prices from $250 to $1,000 each. 10 Medical records are

considered the most valuable because unlike credit cards, which can easily be canceled, and social

security numbers, which can be changed, medical records contain “a treasure trove of unalterable

data points, such as a patient’s medical and behavioral health history and demographics, as well

as their health insurance and contact information.” 11 With this bounty of ill-gotten information,

cybercriminals can steal victims’ public and insurance benefits and bill medical charges to victims’

accounts. 12 Cybercriminals can also change the victims’ medical records, which can lead to

8 United States Social Security Administration, Identity Theft and Your Social Security Number, United States Social Security Administration (July 2021), available at: https://www.ssa.gov/pubs/EN-05-10064.pdf.
9 Id.
10 Paul Nadrag, Capsule Technologies, Industry Voices—Forget credit card numbers. Medical records are the hottest items on the dark web, Fierce Healthcare (January 26, 2021), available at: https://www.fiercehealthcare.com/hospitals/industry-voices-forget-credit-card-numbers-medical-records-are-hottest-items-dark-web.
11 Id.
12 Medical Identity Theft in the New Age of Virtual Healthcare, IDX (March 15, 2021), available at https://www.idx.us/knowledge-center/medical-identity-theft-in-the-new-age-of-virtual-healthcare. See


misdiagnosis or mistreatment when the victims seek medical treatment. 13 Victims of medical

identity theft could even face prosecution for drug offenses when cybercriminals use their stolen

information to purchase prescriptions for sale in the drug trade. 14

36. The wrongful use of compromised medical information is known as medical

identity theft and the damage resulting from medical identity theft is routinely far more serious

than the harm resulting from the theft of simple PII. Victims of medical identity theft spend an

average of $13,500 to resolve problems arising from medical identity theft and there are currently

no laws limiting a consumer’s liability for fraudulent medical debt (in contrast, a consumer’s

liability for fraudulent credit card charges is capped at $50). 15 It is also “considerably harder” to

reverse the damage from the aforementioned consequences of medical identity theft. 16

37. Instances of medical identity theft have grown exponentially over the years from

approximately 6,800 cases in 2017 to just shy of 43,000 in 2021, which represents a seven-fold

increase in the crime. 17

38. In light of the dozens of high-profile health and medical information data breaches

that have been reported in recent years, entities like LMC charged with maintaining and securing

patient PII should know the importance of protecting that information from unauthorized

disclosure. Indeed, LMC knew, or certainly should have known, of the recent and high-profile data

also Michelle Andrews, The Rise of Medical Identity Theft, Consumer Reports (August 25, 2016), available at https://www.consumerreports.org/health/medical-identity-theft-a1699327549/.
13 Id.
14 Id.
15 Medical Identity Theft, AARP (March 25, 2022), available at: https://www.aarp.org/money/scams-fraud/info-2019/medical-identity-theft.html.
16 Id.
17 Id.


breaches in the health care industry: UnityPoint Health, Lifetime Healthcare, Inc., Community

Health Systems, Kalispell Regional Healthcare, Anthem, Premera Blue Cross, and many others. 18

39. In addition, the Federal Trade Commission (“FTC”) has brought dozens of cases

against companies that have engaged in unfair or deceptive practices involving inadequate

protection of consumers’ personal data, including recent cases concerning health-related

information against LabMD, Inc., SkyMed International, Inc., and others. The FTC publicized

these enforcement actions to place companies like LMC on notice of their obligation to safeguard

customer and patient information. 19

40. Given the nature of LMC’s Data Breach, as well as the length of the time LMC’s

networks were breached and the long delay in notification to victims thereof, it is foreseeable that

the compromised Private Information has been or will be used by hackers and cybercriminals in a

variety of devastating ways. Indeed, the cybercriminals who possess Plaintiff’s and Class

members’ Private Information can easily obtain Plaintiff’s and Class members’ tax returns or open

fraudulent credit card accounts in their names.

41. Based on the foregoing, the information compromised in the Data Breach is

significantly more valuable than the loss of, for example, credit card information in a retailer data

breach, because credit card victims can cancel or close credit and debit card accounts. 20 The

18 See, e.g., Healthcare Data Breach Statistics, HIPAA Journal, available at: https://www.hipaajournal.com/healthcare-data-breach-statistics.
19 See, e.g., In the Matter of SKYMED INTERNATIONAL, INC., C-4732, 1923140 (F.T.C. Jan. 26, 2021).
20 See Jesse Damiani, Your Social Security Number Costs $4 On The Dark Web, New Report Finds, Forbes (Mar 25, 2020), available at https://www.forbes.com/sites/jessedamiani/2020/03/25/your-social-security-number-costs-4-on-the-dark-web-new-report-finds/?sh=6a44b6d513f1. See also Why Your Social Security Number Isn’t as Valuable as Your Login Credentials, Identity Theft Resource Center (June 18, 2021), available at https://www.idtheftcenter.org/post/why-your-social-security-number-isnt-as-valuable-as-your-login-credentials/.


information compromised in this Data Breach is impossible to “close” and difficult, if not

impossible, to change.

42. Indeed, according to the Data Breach Notice Defendant disseminated in February

2024, Defendant’s forensic examination concluded that “the files accessed during the Breach

include billing-related documents that may have included [Class Members’] full name, date of

birth, medical record number, health insurance identification number, patient charge descriptor

information, and billing codes.” Contemporaneous news reports also indicate that hackers may

have accessed certain current or former patients’ Social Security Numbers.

43. Although Defendant contends that electronic medical records were not accessed

during the Data Breach, hackers nevertheless managed to access a treasure trove of valuable and

highly-sensitive PII and PHI. For example, a stolen health insurance identification number coupled

with even minimal PII can be used to submit fraudulent insurance claims for prescription drugs,

medical devices and treatments, and other medical benefits.

44. The additional categories of PHI compromised in the Data Breach would further

facilitate those efforts. Patient charge descriptor information provides a detailed narrative of the

services or procedures performed, including the specific details of the treatment, diagnosis, or tests

conducted, and are typically written in plain language that is easily understandable by patients and

non-medical professionals. Patient billing codes likewise provide considerable insight into a

patient’s medical treatment history, because billing codes used for purposes of reimbursement

from Medicare and private health insurers tend to be uniform in order to streamline billing and

reimbursement efforts.

45. When these sources of information are coupled with a patient’s name, date of birth

and medical record number—a unique identification number used to identify patients across the


U.S. medical system and associate medical records compiled by their various healthcare

providers—malevolent actors are able to build comprehensive medical profiles of millions of

individuals that can then be used to perpetrate health care fraud in their names.

46. Despite the prevalence of public announcements of data breach and data security

compromises, its own acknowledgment of the risks posed by data breaches, and its own

acknowledgment of its duties to keep Private Information private and secure, LMC failed to take

appropriate steps to protect the Private Information of Plaintiff and Class members from

misappropriation. As a result, the injuries to Plaintiff and Class members were directly and

proximately caused by LMC’s failure to implement or maintain adequate data security measures

for its current and former patients.

E. LMC Had a Duty and Obligation to Protect Private Information

47. LMC has an obligation to protect the Private Information belonging to Plaintiff and

Class members. First, this obligation was mandated by government regulations and state laws,

including HIPAA and FTC rules and regulations. Second, this obligation arose from industry

standards regarding the handling of sensitive PII and medical records. Third, LMC imposed such

an obligation on itself with its promises regarding the safe handling of data. Plaintiff and Class

members provided, and LMC obtained, their information on the understanding that it would be

protected and safeguarded from unauthorized access or disclosure.

1. HIPAA Requirements and Violation

48. HIPAA requires, inter alia, that Covered Entities and Business Associates

implement and maintain policies, procedures, systems and safeguards that ensure the

confidentiality and integrity of consumer and patient PII and PHI, protect against any reasonably

anticipated threats or hazards to the security or integrity of consumer and patient PII and PHI,


regularly review access to databases containing protected information, and implement procedures

and systems to detect, contain, and correct any unauthorized access to protected information. See

45 CFR § 164.302, et seq.

49. HIPAA, as applied through federal regulations, also requires private information to

be stored in a manner that renders it, “unusable, unreadable, or indecipherable to unauthorized

persons through the use of a technology or methodology. . . .” 45 CFR § 164.402.

50. The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires entities to

provide notice of a data breach to each affected individual “without unreasonable delay and in no

case later than 60 days following discovery of the breach” (emphasis added).

51. LMC failed to implement and/or maintain procedures, systems, and safeguards to

protect the Private Information belonging to Plaintiff and Class members from unauthorized access

and disclosure.

52. Upon information and belief, LMC’s security failures include, but are not limited

to:

a. Failing to maintain an adequate data security system to prevent data loss;

b. Failing to mitigate the risks of a data breach and loss of data;

c. Failing to ensure the confidentiality and integrity of electronic protected health information LMC creates, receives, maintains, and transmits in violation of 45 CFR 164.306(a)(1);

d. Failing to implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights in violation of 45 CFR 164.312(a)(1);

e. Failing to implement policies and procedures to prevent, detect, contain, and correct security violations in violation of 45 CFR 164.308(a)(1);

f. Failing to identify and respond to suspected or known security incidents;


g. Failing to mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity, in violation of 45 CFR 164.308(a)(6)(ii);

h. Failing to protect against any reasonably-anticipated threats or hazards to the security or integrity of electronic protected health information, in violation of 45 CFR 164.306(a)(2);

i. Failing to protect against any reasonably anticipated uses or disclosures of electronic protected health information that are not permitted under the privacy rules regarding individually identifiable health information, in violation of 45 CFR 164.306(a)(3);

j. Failing to ensure compliance with HIPAA security standard rules by LMC’s workforce, in violation of 45 CFR 164.306(a)(94); and

k. Impermissibly and improperly using and disclosing protected health information that is and remains accessible to unauthorized persons, in violation of 45 CFR 164.502, et seq.

53. Upon information and belief, LMC also failed to store the information it collected

in a manner that rendered it, “unusable, unreadable, or indecipherable to unauthorized persons,”

in violation of 45 CFR § 164.402.

54. LMC also violated the HIPAA Breach Notification Rule since it did not inform

Plaintiff and Class members about the breach until 130 days after it first discovered the breach.

2. FTC Act Requirements and Violations

55. The FTC has promulgated numerous guides for businesses that highlight the

importance of implementing reasonable data security practices. According to the FTC, the need

for data security should be factored into all business decision making. Indeed, the FTC has

concluded that a company’s failure to maintain reasonable and appropriate data security for

consumers’ sensitive personal information is an “unfair practice” in violation of Section 5 of the

Federal Trade Commission Act (“FTCA”), 15 U.S.C. § 45. See, e.g., FTC v. Wyndham Worldwide

Corp., 799 F.3d 236 (3d Cir. 2015).


56. In 2016, the FTC updated its publication, Protecting Personal Information: A

Guide for Business, which established guidelines for fundamental data security principles and

practices for business. 21 The guidelines note businesses should protect the personal information

that they keep; properly dispose of personal information that is no longer needed; encrypt

information stored on computer networks; understand their network’s vulnerabilities; and

implement policies to correct security problems. 22 The guidelines also recommend that businesses

use an intrusion detection system to expose a breach as soon as it occurs; monitor all incoming

traffic for activity indicating someone is attempting to hack the system; watch for large amounts

of data being transmitted from the system; and have a response plan ready in the event of a

breach. 23 LMC clearly failed to do any of the foregoing, as evidenced by the delay in notifying the

victims of the Data Breach and the type of data exposed.

57. The FTC further recommends that companies not maintain PII longer than is

needed for authorization of a transaction, limit access to sensitive data, require complex passwords

to be used on networks, use industry-tested methods for security, monitor the network for

suspicious activity, and verify that third-party service providers have implemented reasonable

security measures.

58. The FTC has brought enforcement actions against businesses for failing to

adequately and reasonably protect customer data by treating the failure to employ reasonable and

appropriate measures to protect against unauthorized access to confidential consumer data as an

21
Protecting Personal Information: A Guide for Business, Federal Trade Comm’n
(October 2016), available at https://www.ftc.gov/tips-advice/business-center/guidance/protecting-
personal-information-guide-business (last accessed August 15, 2023).
22
Id.
23
Id.


unfair act or practice prohibited by the FTCA. Orders resulting from these actions further clarify

the measures businesses must take to meet their data security obligations.

59. Additionally, the FTC Health Breach Notification Rule obligates companies that

suffered a data breach to provide notice to every individual affected by the data breach, as well as

notifying the media and the FTC. See 16 CFR 318.1, et seq.

60. As evidenced by the Data Breach, LMC failed to properly implement basic data

security practices. LMC’s failure to employ reasonable and appropriate measures to protect against

unauthorized access to Plaintiff’s and Class members’ Private Information constitutes an unfair

act or practice prohibited by Section 5 of the FTCA.

61. LMC was fully aware of its obligation to protect the Private Information of its

current and former patients, including Plaintiff and Class members. LMC is a sophisticated and

technologically savvy business that relies extensively on technology systems and networks to

maintain its practice, including storing its patients’ PII, protected health information, and medical

information in order to operate its business.

62. LMC had and continues to have a duty to exercise reasonable care in collecting,

storing, and protecting the Private Information from the foreseeable risk of a data breach. The duty

arises out of the special relationship that exists between LMC and Plaintiff and Class members.

LMC alone had the exclusive ability to implement adequate security measures to its cyber security

network to secure and protect Plaintiff’s and Class members’ Private Information.

3. Industry Standards and Noncompliance

63. As noted above, experts studying cybersecurity routinely identify businesses as

being particularly vulnerable to cyberattacks because of the value of the Private Information which

they collect and maintain.


64. Some industry best practices that should be implemented by businesses dealing

with sensitive Private Information, like LMC, include but are not limited to: educating all

employees, strong password requirements, multilayer security including firewalls, anti-virus and

anti-malware software, encryption, multi-factor authentication, backing up data, and limiting

which employees can access sensitive data. As evidenced by the Data Breach, LMC failed to

follow some or all of these industry best practices.

65. Other best cybersecurity practices that are standard in the industry include:

installing appropriate malware detection software; monitoring and limiting network ports;

protecting web browsers and email management systems; setting up network systems such as

firewalls, switches, and routers; monitoring and protecting physical security systems; and training

staff regarding these points. As evidenced by the Data Breach, LMC failed to follow these

cybersecurity best practices.

66. LMC should have also followed the minimum standards of any one of the following

frameworks: the NIST Cybersecurity Framework Version 1.1 (including without limitation

PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.AC-7, PR.AT-1, PR.DS-1, PR.DS-5,

PR.PT-1, PR.PT-3, DE.CM-1, DE.CM-4, DE.CM-7, DE.CM-8, and RS.CO-2), and the Center for

Internet Security’s Critical Security Controls (CIS CSC), which are all established standards in

reasonable cybersecurity readiness.

67. LMC failed to comply with these accepted standards, thereby permitting the Data

Breach to occur.

4. LMC’s Own Stated Policies and Promises

68. LMC’s own published privacy policy 24 states that:

24
See https://www.lexmed.com/docs/privacy/Lexmed-privacypractices.pdf (last accessed Feb. 23, 2024).


a. [LMC] is required by law to “ensure that health information that identifies you

is kept private, except as such information is required or permitted to be

disclosed by law.”

b. “[LMC] will not use or disclose your health information without your prior

written authorization, except as permitted or required by law …”

69. LMC failed to live up to its own stated policies and promises with regards to data

privacy and data security as cybercriminals were able to infiltrate its systems and gain access to the

Private Information belonging to Plaintiff and Class members.

F. Plaintiff and the Class Suffered Harm Resulting from the Data Breach

70. Like any data hack, the Data Breach presents major problems for all affected. 25

71. The FTC warns the public to pay particular attention to how they keep personally

identifying information including Social Security numbers and other sensitive data. As the FTC

notes, “once identity thieves have your personal information, they can drain your bank account,

run up charges on your credit cards, open new utility accounts, or get medical treatment on your

health insurance.” 26

72. The ramifications of LMC’s failure to properly secure Plaintiff’s and Class

members’ Private Information are severe. Identity theft occurs when someone uses another

person’s financial and personal information, such as that person’s name, address, Social Security

number, and other information, without permission in order to commit fraud or other crimes.

73. According to data security experts, one out of every four data breach notification

recipients becomes a victim of identity fraud.

25
Paige Schaffer, Data Breaches' Impact on Consumers, Insurance Thought Leadership (July 29, 2021),
available at https://www.insurancethoughtleadership.com/cyber/data-breaches-impact-consumers.
26
Warning Signs of Identity Theft, Federal Trade Comm’n, available at
https://www.identitytheft.gov/#/Warning-Signs-of-Identity-Theft.


74. Furthermore, PII has a long shelf-life because it contains different forms of personal

information, it can be used in more ways than one, and it typically takes time for an information

breach to be detected.

75. Accordingly, LMC’s wrongful actions and/or inaction and the resulting Data

Breach have also placed Plaintiff and the Class at an imminent, immediate, and continuing

increased risk of identity theft and identity fraud. According to a recent study published in the

scholarly journal Preventive Medicine Reports, public and corporate data breaches correlate to an

increased risk of identity theft for victimized consumers. 27 The same study also found that identity

theft is a deeply traumatic event for the victims, with more than a quarter of victims still

experiencing sleep problems, anxiety, and irritation even six months after the crime. 28

76. There is also a high likelihood that significant identity fraud and/or identity theft

has not yet been discovered or reported. Even data that has not yet been exploited by

cybercriminals presents a concrete risk that the cybercriminals who now possess Class members’

Private Information will do so at a later date or re-sell it.

77. Data breaches have also proven to be costly for affected organizations, with

the average cost to resolve being $4.45 million in 2023. 29 The average cost to resolve a

data breach involving health information, however, is more than double this figure at $10.92

million. 30

27
David Burnes, Marguerite DeLiema, Lynn Langton, Risk and protective factors of identity theft
victimization in the United States, Preventive Medicine Reports, Volume 17 (January 23, 2020), available
at https://www.sciencedirect.com/science/article/pii/S2211335520300188?via%3Dihub.
28
Id.
29
Cost of a Data Breach Report 2023, IBM Security, available at https://www.ibm.com/reports/data-
breach?utm_content=SRCWW&p1=Search&p4=43700072379268622&p5=p&gclid=CjwKCAjwxOymB
hAFEiwAnodBLGiGtWfjX0vRlNbx6p9BpWaOo9eZY1i6AMAc6t9S8IKsxdnbBVeUbxoCtk8QAvD_B
wE&gclsrc=aw.ds.
30
Id.


78. The theft of medical information, beyond the theft of more traditional forms of PII,

is especially harmful for victims. Medical identity theft, the misuse of stolen medical records and

information, has seen a seven-fold increase over the last five years and this explosive growth far

outstrips the increase in incidence of traditional identity theft. 31 Medical Identity Theft is especially

nasty for victims because of the lack of laws that limit a victim’s liabilities and damages from this

type of identity theft (e.g., a victim’s liability for fraudulent credit card charges is capped at $50),

the unalterable nature of medical information, the sheer costs involved in resolving the fallout from

a medical identity theft (victims spend, on average, $13,500 to resolve problems arising from this

crime), and the risk of criminal prosecution under anti-drug laws. 32

79. Here, due to the Breach, Plaintiff and Class members have been exposed to injuries

that include, but are not limited to:

a. Theft of Private Information;

b. Costs associated with the detection and prevention of identity theft and
unauthorized use of financial accounts as a direct and proximate result of
the Private Information accessed during the Data Breach;

c. Damages arising from the inability to use accounts that may have been
compromised during the Data Breach;

d. Costs associated with time spent to address and mitigate the actual and
future consequences of the Data Breach, such as finding fraudulent charges,
cancelling and reissuing payment cards, purchasing credit monitoring and
identity theft protection services, placing freezes and alerts on their credit
reports, contacting their financial institutions to notify them that their
personal information was exposed and to dispute fraudulent charges,
imposition of withdrawal and purchase limits on compromised accounts,
including but not limited to lost productivity and opportunities, time taken
from the enjoyment of one’s life, and the inconvenience, nuisance, and
annoyance of dealing with all issues resulting from the Data Breach, if they

31
Medical Identity Theft, AARP (March 25, 2022), available at: https://www.aarp.org/money/scams-
fraud/info-2019/medical-identity-theft.html.
32
Id.


were fortunate enough to learn of the Data Breach despite LMC’s delay in
disseminating notice in accordance with state law;

e. The imminent and impending injury resulting from potential fraud and
identity theft posed because their Private Information is exposed for theft
and sale on the dark web; and

f. The loss of Plaintiff’s and Class members’ privacy.

80. Plaintiff and Class members have suffered imminent and impending injury arising

from the substantially increased risk of fraud, identity theft, and misuse resulting from their Private

Information being accessed by cybercriminals, risks that will not abate within the limited time of

credit monitoring offered by LMC.

81. As a direct and proximate result of LMC’s acts and omissions in failing to protect

and secure Private Information, Plaintiff and Class members have been placed at a substantial risk

of harm in the form of identity theft, and they have incurred and will incur actual damages in an

attempt to prevent identity theft.

82. Plaintiff retains an interest in ensuring there are no future breaches, in addition to

seeking a remedy for the harms suffered as a result of the Data Breach on behalf of both herself

and similarly situated individuals whose Private Information was accessed in the Data Breach.

G. EXPERIENCES SPECIFIC TO PLAINTIFF

1. Plaintiff Sutherland’s Experience

83. Plaintiff Sutherland is a current patient at LMC and has been for many years.

84. Plaintiff Sutherland received LMC’s data breach notice. The notice informed

Plaintiff Sutherland that her Private Information may have been improperly accessed by third

parties, including but not limited to Plaintiff Sutherland’s full name, date of birth, medical record

number, health insurance identification number, patient charge descriptor information, and billing

codes.


85. After the breach, Plaintiff Sutherland noticed a dramatic increase in suspicious

activities including spam phone calls, marketing emails, and spam text messages. Plaintiff

Sutherland has also recently experienced fraud in her financial accounts.

86. As a result of the Data Breach, Plaintiff Sutherland has made reasonable efforts to

mitigate the impact of the Data Breach, including, but not limited to, researching the Data Breach

and reviewing credit reports and financial account statements for any indications of actual or

attempted identity theft or fraud. Plaintiff Sutherland has also spent several hours dealing with the

Data Breach, valuable time she otherwise would have spent on other activities, including, but not

limited to, work and recreation.

87. As a result of the Data Breach, Plaintiff Sutherland has suffered anxiety due to the

public dissemination of her personal information, which she believed would be protected from

unauthorized access and disclosure, including anxiety about unauthorized parties viewing, selling,

and using her Private Information for purposes of identity theft and fraud. Plaintiff Sutherland is

concerned about identity theft and fraud, as well as the consequences of such identity theft and

fraud resulting from the Data Breach.

88. Plaintiff Sutherland suffered actual injury from having her Private Information

compromised as a result of the Data Breach including, but not limited to (a) damage to and

diminution in the value of her Private Information, a form of property that LMC obtained from

her; (b) violation of her privacy rights; and (c) present, imminent and impending injury arising

from the increased risk of identity theft and fraud.

89. As a result of the Data Breach, Plaintiff Sutherland anticipates spending

considerable time and money on an ongoing basis to try to mitigate and address harms caused by


the Data Breach. And, as a result of the Data Breach, she is at a present risk and will continue to

be at increased risk of identity theft and fraud for years to come.

V. CLASS REPRESENTATION ALLEGATIONS

90. Plaintiff brings this action on behalf of herself and, pursuant to Fed. R. Civ. P.

23(a), 23(b)(2), and 23(b)(3), a Class of:

All persons in the United States whose Private Information was accessed
in the Data Breach.

Excluded from the Class are LMC, its executives and officers, and the Judge(s) assigned to this

case. Plaintiff reserves the right to modify, change or expand the Class definition after conducting

discovery.

91. In the alternative, Plaintiff brings this action on behalf of herself and, pursuant to

Fed. R. Civ. P. 23(a), 23(b)(2), and 23(b)(3), a subclass of:

All persons who are residents of the State of South Carolina whose Private
Information was accessed in the Data Breach (the “South Carolina
Subclass”).

Excluded from the Subclass are LMC, its executives and officers, and the Judge(s) assigned to this

case.

92. Numerosity: Upon information and belief, the Class is so numerous that joinder of

all members is impracticable. The exact number and identities of individual members of the Class

are unknown at this time, such information being in the sole possession of LMC and obtainable by

Plaintiff only through the discovery process. On information and belief, the number of affected

individuals is estimated to be 1.7 million. 33 The members of the Class will be identifiable through

information and records in LMC’s possession, custody, and control.

33
See https://medriva.com/breaking-news/lexington-medical-center-data-breach-an-in-depth-analysis-
and-practical-advice-on-data-security/ (last upd. Feb. 20, 2024).


93. Existence and Predominance of Common Questions of Fact and Law: Common

questions of law and fact exist as to all members of the Class. These questions predominate over

the questions affecting individual Class members. These common legal and factual questions

include, but are not limited to:

a. When LMC learned of the Data Breach;

b. Whether hackers obtained Class members’ Private Information via the Data
Breach;

c. Whether LMC’s response to the Data Breach was adequate;

d. Whether LMC failed to implement and maintain reasonable security
procedures and practices appropriate to the nature and scope of the Private
Information compromised in the Data Breach;

e. Whether LMC knew or should have known that its data security systems
and monitoring processes were deficient;

f. Whether LMC owed a duty to safeguard their Private Information;

g. Whether LMC breached its duty to safeguard Private Information;

h. Whether LMC had a legal duty to provide timely and accurate notice of the
Data Breach to Plaintiff and Class members;

i. Whether LMC breached its duty to provide timely and accurate notice of
the Data Breach to Plaintiff and Class members;

j. Whether LMC’s conduct violated the FTCA, HIPAA, and/or the Consumer
Protection Act invoked herein;

k. Whether LMC’s conduct was negligent;

l. Whether LMC’s conduct was per se negligent;

m. Whether LMC was unjustly enriched;

n. What damages Plaintiff and Class members suffered as a result of LMC’s
misconduct;

o. Whether Plaintiff and Class members are entitled to actual and/or statutory
damages; and


p. Whether Plaintiff and Class members are entitled to additional credit or
identity monitoring and monetary relief.

94. Typicality: Plaintiff’s claims are typical of the claims of the Class as Plaintiff and

all members of the Class had their Private Information compromised in the Data Breach. Plaintiff’s

claims and damages are also typical of the Class because they resulted from LMC’s uniform

wrongful conduct. Likewise, the relief to which Plaintiff is entitled is typical of the Class

because LMC has acted, and refused to act, on grounds generally applicable to the Class.

95. Adequacy: Plaintiff is an adequate class representative because Plaintiff’s interests

do not materially or irreconcilably conflict with the interests of the Class Plaintiff seeks to

represent, Plaintiff has retained counsel competent and highly experienced in complex class action

litigation, and Plaintiff intends to prosecute this action vigorously. Plaintiff and counsel will fairly

and adequately protect the interests of the Class. Neither Plaintiff nor Plaintiff’s counsel have any

interests that are antagonistic to the interests of other members of the Class.

96. Superiority: Compared to all other available means of fair and efficient adjudication

of the claims of Plaintiff and the Class, a class action is superior. The injury suffered by each

individual Class member is relatively small in comparison to the burden and expense of individual

prosecution of the complex and extensive litigation necessitated by LMC’s conduct. It would be

virtually impossible for members of the Class individually to effectively redress the wrongs done

to them. Even if the members of the Class could afford such individual litigation, the court system

could not. Individualized litigation presents a potential for inconsistent or contradictory judgments.

Individualized litigation increases the delay and expense to all parties and to the court system

presented by the complex legal and factual issues of the case. By contrast, the class action device

presents far fewer management difficulties, and provides the benefits of single adjudication,


economy of scale, and comprehensive supervision by a single court. Members of the Class can be

readily identified and notified based on, inter alia, LMC’s records and databases.

VI. CAUSES OF ACTION

COUNT I
NEGLIGENCE
(By Plaintiff on behalf of the Class)

97. Plaintiff incorporates and realleges all allegations above as if fully set forth herein.

98. LMC owes a duty of care to protect the Private Information belonging to Plaintiff

and Class members. LMC also owes several specific duties including, but not limited to, the duty:

a. to exercise reasonable care in obtaining, retaining, securing, safeguarding,
deleting, and protecting Private Information in its possession;

b. to protect patients’ Private Information using reasonable and adequate
security procedures and systems compliant with industry standards;

c. to have procedures in place to detect the loss or unauthorized dissemination
of Private Information in its possession;

d. to employ reasonable security measures and otherwise protect the Private
Information of Plaintiff and Class members pursuant to the FTCA;

e. to implement processes to quickly detect a data breach and to timely act on
warnings about data breaches; and

f. to promptly notify Plaintiff and Class members of the Data Breach, and to
precisely disclose the type(s) of information compromised.

99. LMC owes this duty because it had a special relationship with Plaintiff and Class

members. Plaintiff and Class members entrusted their Private Information to LMC on the

understanding that adequate security precautions would be taken to protect this information.

Furthermore, only LMC had the ability to protect its systems and the Private Information stored

on them from attack.


100. LMC also owes this duty because industry standards mandate that LMC protect its

patients’ confidential Private Information.

101. LMC also owes a duty to timely disclose any unauthorized access and/or theft of

the Private Information belonging to Plaintiff and Class members. This duty exists to provide

Plaintiff and Class members with the opportunity to undertake appropriate measures to mitigate

damages, protect against adverse consequences, and thwart future misuse of their Private

Information.

102. LMC breached its duties owed to Plaintiff and Class members by failing to take

reasonable and appropriate measures to secure, protect, and/or otherwise safeguard their Private

Information.

103. LMC also breached the duties it owed to Plaintiff and Class members by failing to

timely and accurately disclose to them that their Private Information had been improperly acquired

and/or accessed.

104. As a direct and proximate result of LMC’s conduct, Plaintiff and Class members

were damaged. These damages include, and are not limited to:

• Lost or diminished value of their Private Information;

• Out-of-pocket expenses associated with the prevention, detection, and
recovery from identity theft, tax fraud, and/or unauthorized use of their
Private Information;

• Lost opportunity costs associated with attempting to mitigate the actual
consequences of the Data Breach, including but not limited to the loss of
time needed to take appropriate measures to avoid unauthorized and
fraudulent charges; and

• Permanent increased risk of identity theft.


105. Plaintiff and Class members were foreseeable victims of any inadequate security

practices on the part of LMC and the damages they suffered were the foreseeable result of the

aforementioned inadequate security practices.

106. In failing to provide prompt and adequate individual notice of the Data Breach,

LMC also acted with reckless disregard for the rights of Plaintiff and Class members.

107. Plaintiff and the Class are entitled to damages in an amount to be proven at trial

and injunctive relief requiring LMC to, inter alia, strengthen its data security systems and

monitoring procedures, conduct periodic audits of those systems, and provide lifetime credit

monitoring and identity theft insurance to Plaintiff and Class members.

COUNT II
NEGLIGENCE PER SE
(By Plaintiff on behalf of the Class)

108. Plaintiff incorporates and realleges all allegations above as if fully set forth herein.

109. Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45, imposes a duty on

LMC to provide fair and adequate data security to secure, protect, and/or otherwise safeguard the

Private Information of Plaintiff and Class members.

110. HIPAA imposes a duty on LMC to implement reasonable safeguards to protect

Plaintiff’s and Class members’ Private Information. 42 U.S.C. § 1302(d), et seq.

111. HIPAA also requires LMC to render unusable, unreadable, or indecipherable all

Private Information it collected. LMC was required to do so through “the use of an algorithmic

process to transform data into a form in which there is a low probability of assigning meaning

without the use of a confidential process or key.” See definition of “encryption” at 45 C.F.R. §

164.304.


112. In the event of a data breach, HIPAA obligates Covered Entities and Business

Associates to notify affected individuals, prominent media outlets, and the Secretary of the

Department of Health and Human Services of the data breach without unreasonable delay and in

no event later than 60 days after discovery of the data breach. 45 CFR § 164.400, et seq.

113. LMC violated the FTCA and HIPAA by failing to provide fair, reasonable, or

adequate computer systems and data security practices to secure, protect, and/or otherwise

safeguard Plaintiff’s and Class members’ Private Information.

114. LMC violated HIPAA by failing to properly encrypt the Private Information it

collected.

115. LMC violated HIPAA by unduly delaying reasonable notice of the actual breach;

in this case by 130 days.

116. LMC’s failure to comply with HIPAA and the FTCA constitutes negligence per se.

117. Plaintiff and Class members are within the class of persons that the FTCA and

HIPAA are intended to protect.

118. It was reasonably foreseeable that the failure to protect and secure Plaintiff’s and

Class members’ Private Information in compliance with applicable laws and industry standards

would result in that Information being accessed by unauthorized actors.

119. As a direct and proximate result of LMC’s negligence per se, Plaintiff and Class

members have suffered, and continue to suffer, injuries and damages arising from the unauthorized

access of their Private Information, including but not limited to theft of their personal information,

damages from the lost time and effort to mitigate the impact of the Data Breach, and permanently

increased risk of identity theft.


120. Plaintiff and Class members are entitled to damages in an amount to be proven at

trial and injunctive relief requiring LMC to, inter alia, strengthen its data security systems and

monitoring procedures, conduct periodic audits of those systems, and provide lifetime credit

monitoring and identity theft insurance to Plaintiff and Class members.

COUNT III
BREACH OF IMPLIED CONTRACT
(By Plaintiff on behalf of the Class)

121. Plaintiff incorporates and realleges all allegations above as if fully set forth herein.

122. Plaintiff and Class members provided LMC with their Private Information.

123. By providing their Private Information, and upon LMC’s acceptance of this

information, Plaintiff and the Class, on one hand, and LMC, on the other hand, entered into

implied-in-fact contracts for the provision of data security, separate and apart from any express

contract entered into between the parties.

124. The implied contracts between LMC and Plaintiff and Class members obligated

LMC to take reasonable steps to secure, protect, safeguard, and keep confidential Plaintiff’s and

Class members’ Private Information. The terms of these implied contracts are described in federal

laws, state laws, and industry standards, as alleged above. LMC expressly adopted and assented to

these terms in its public statements, representations and promises as described above.

125. The implied contracts for data security also obligated LMC to provide Plaintiff and

Class members with prompt, timely, and sufficient notice of any and all unauthorized access or

theft of their Private Information.

126. LMC breached these implied contracts by failing to take, develop and implement

adequate policies and procedures to safeguard, protect, and secure the Private Information

belonging to Plaintiff and Class members; allowing unauthorized persons to access Plaintiff’s and


Class members’ Private Information; and failing to provide prompt, timely, and sufficient notice

of the Data Breach to Plaintiff and Class members, as alleged above.

127. As a direct and proximate result of LMC’s breaches of the implied contracts,

Plaintiff and Class members have been damaged as described herein, will continue to suffer

injuries as detailed above due to the continued risk of exposure of Private Information, and are

entitled to damages in an amount to be proven at trial.

COUNT IV
UNJUST ENRICHMENT
(By Plaintiff on behalf of the Class)

128. Plaintiff incorporates and realleges all allegations above as if fully set forth herein.

129. This count is brought in the alternative to Count III.

130. Plaintiff and the Class have a legal and equitable interest in their Private

Information that was collected and maintained by LMC.

131. LMC was benefitted by the conferral of Plaintiff’s and Class members’ Private

Information and by its ability to retain and use that information. LMC understood that it was in

fact so benefitted.

132. LMC also understood and appreciated that Plaintiff’s and Class members’ Private

Information was private and confidential and its value depended upon LMC maintaining the

privacy and confidentiality of that information.

133. But for LMC’s willingness and commitment to maintain its privacy and

confidentiality, Plaintiff and Class members would not have provided or authorized their Private

Information to be provided to LMC, and LMC would have been deprived of the competitive and

economic advantages it enjoyed by falsely claiming that its data-security safeguards met

reasonable standards. These competitive and economic advantages include, without limitation,


wrongfully gaining patients, gaining the reputational advantages conferred upon it by Plaintiff and

Class members, collecting excessive advertising and sales revenues as described herein, monetary

savings resulting from failure to reasonably upgrade and maintain data technology infrastructures,

staffing, and expertise, raising investment capital as described herein, and realizing excessive

profits.

134. As a result of LMC’s wrongful conduct as alleged herein (including, among other

things, its deception of Plaintiff, the Class, and the public relating to the nature and scope of the

data breach; its failure to employ adequate data security measures; its continued maintenance and

use of the Private Information belonging to Plaintiff and Class members without having adequate

data security measures; and its other conduct facilitating the theft of that Private Information),

LMC has been unjustly enriched at the expense of, and to the detriment of, Plaintiff and the Class.

135. LMC’s unjust enrichment is traceable to, and resulted directly and proximately

from, the conduct alleged herein, including the compiling and use of Plaintiff’s and Class

members’ sensitive Private Information, while at the same time failing to maintain that information

secure from intrusion.

136. Under the common law doctrine of unjust enrichment, it is inequitable for LMC to

be permitted to retain the benefits it received, and is still receiving, without justification, from

Plaintiff and Class members in an unfair and unconscionable manner.

137. The benefit conferred upon, received, and enjoyed by LMC was not conferred

officiously or gratuitously, and it would be inequitable and unjust for LMC to retain the benefit.

138. LMC is therefore liable to Plaintiff and the Class for restitution in the amount of

the benefit conferred on LMC as a result of its wrongful conduct, including specifically the value


to LMC of the PII and medical information that was accessed in the Data Breach and the profits

LMC receives from the use and sale of that information.

139. Plaintiff and Class members are entitled to full refunds, restitution, and/or damages

from LMC and/or an order proportionally disgorging all profits, benefits, and other compensation

obtained by LMC from its wrongful conduct.

140. Plaintiff and Class members may not have an adequate remedy at law against LMC,

and accordingly, they plead this claim for unjust enrichment in addition to, or in the alternative to,

other claims pleaded herein.

COUNT V
INVASION OF PRIVACY
(By Plaintiff on behalf of the Class)

141. Plaintiff incorporates and realleges all allegations above as if fully set forth herein.

142. Plaintiff and Class members had a reasonable expectation of privacy in the Private

Information that LMC possessed and/or continues to possess.

143. By failing to keep Plaintiff’s and Class members’ Private Information safe, and by

misusing and/or disclosing their Private Information to unauthorized parties for unauthorized use,

LMC invaded Plaintiff’s and Class members’ privacy by:

a. Intruding into their private affairs in a manner that would be highly offensive to a reasonable person; and

b. Publicizing private facts about Plaintiff and Class members, which is highly offensive to a reasonable person.

144. LMC knew, or acted with reckless disregard of the fact that, a reasonable person in

Plaintiff’s position would consider LMC’s actions highly offensive.

145. LMC invaded Plaintiff’s and Class members’ right to privacy and intruded into

Plaintiff’s and Class members’ private affairs by misusing and/or disclosing their private

information without their informed, voluntary, affirmative, and clear consent.


146. As a proximate result of such misuse and disclosures, Plaintiff’s and Class

members’ reasonable expectation of privacy in their Private Information was unduly frustrated and

thwarted. LMC’s conduct amounted to a serious invasion of Plaintiff’s and Class members’

protected privacy interests.

147. In failing to protect Plaintiff’s and Class members’ Private Information, and in

misusing and/or disclosing their Private Information, LMC has acted with malice and oppression

and in conscious disregard of Plaintiff’s and Class members’ rights to have such information kept

confidential and private, in failing to provide adequate notice, and in placing its own economic,

corporate, and legal interests above the privacy interests of its millions of patients. Plaintiff,

therefore, seeks an award of damages, including punitive damages, individually and on behalf of

the Class.

PRAYER FOR RELIEF

WHEREFORE, Plaintiff, individually, and on behalf of all members of the Class,

respectfully requests that the Court enter judgment in their favor and against LMC, as follows:

A. That the Court certify this action as a class action, proper and maintainable pursuant
to Rule 23 of the Federal Rules of Civil Procedure; declare that Plaintiff is a proper
class representative; and appoint Plaintiff’s Counsel as Class Counsel;

B. That Plaintiff be granted the declaratory relief sought herein;

C. That the Court grant permanent injunctive relief to prohibit LMC from continuing
to engage in the unlawful acts, omissions, and practices described herein;

D. That the Court award Plaintiff and Class members compensatory, consequential,
and general damages in an amount to be determined at trial;

E. That the Court award Plaintiff and Class members statutory damages, and punitive
or exemplary damages, to the extent permitted by law;

F. That the Court award to Plaintiff the costs and disbursements of the action, along
with reasonable attorneys’ fees, costs, and expenses;

G. That the Court award pre- and post-judgment interest at the maximum legal rate;


H. That the Court grant all such equitable relief as it deems proper and just,
including, but not limited to, disgorgement and restitution; and

I. That the Court grant all other relief as it deems just and proper.

DEMAND FOR JURY TRIAL

Plaintiff, individually and on behalf of the putative Class, demands a trial by jury on all

issues so triable.

Respectfully Submitted,

By: s/ James M. Griffin

James M. Griffin, Esq., Fed. ID No. 1053
Margaret N. Fox, Esq., Fed. ID No. 10576
Griffin Humphries, LLC
4408 Forest Dr., Suite 300
P.O. Box 999 (29202)
Columbia, South Carolina, 29206
Telephone: (803) 744-0800
jgriffin@griffinhumphries.com
mfox@griffinhumphries.com

Badge Humphries, Esq., Fed. ID No. 9550
Griffin Humphries, LLC
2113 Middle Street, Suite 305
Sullivan’s Island, South Carolina 29482
(843) 883-7444
bhumphries@griffinhumphries.com

Daniel O. Herrera*
Nickolas J. Hagman*
Mohammed A. Rathur*
CAFFERTY CLOBES MERIWETHER
& SPRENGEL LLP
135 S. LaSalle, Suite 3210
Chicago, Illinois 60603
Telephone: (312) 782-4880
Facsimile: (312) 782-4485
dherrera@caffertyclobes.com
nhagman@caffertyclobes.com
mrathur@caffertyclobes.com

* Pro Hac Vice forthcoming


Attorneys for Plaintiff and the Proposed Class

Columbia, South Carolina

February 28, 2024
